fal-redesign
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The skill employs Puppeteer to capture screenshots of local files or URLs. These images are then uploaded to fal.ai's cloud storage using the
@fal-ai/client. If the agent is instructed to process sensitive local files (such as.envfiles or configuration with hardcoded secrets), this mechanism will transmit visual representations of that sensitive data to a third-party API. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data (HTML and brand context) from the user's project.
- Ingestion points:
runtime/src/upgrade.mjsscreenshots the target;runtime/src/implement.mjsandruntime/src/review.mjsingest the original HTML source code. - Boundary markers: The skill uses
BEGIN_HTMLandEND_HTMLtags to delimit the ingested source code within the AI prompts. - Capability inventory: The skill possesses the ability to write files (
writeFileSync), execute shell commands via FFmpeg (spawn), and perform network requests to external APIs (OpenRouter, fal.ai). - Sanitization: No sanitization or filtering is performed on the ingested HTML before it is sent to the LLM for analysis and redesign.
- [COMMAND_EXECUTION]: The
runtime/src/video.mjsscript executes theffmpegbinary usingchild_process.spawnto create design comparison videos. While the arguments are passed as an array, this grants the skill the ability to invoke system-level media processing tools. - [EXTERNAL_DOWNLOADS]: The skill interacts with external services including fal.ai and OpenRouter for design generation and vision-based analysis. It also references common CDNs like Tailwind and Google Fonts in its generated HTML output.
Audit Metadata